Leaktests: Should they be considered in selecting a Firewall?

Discussion in 'other firewalls' started by Rmus, Aug 28, 2005.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I’ve not thought much about firewall leaktests in a long time. But recently, a friend whom I helped set up a computer a few years ago phoned. She had read about firewall leaktests, and was concerned about a survey of firewalls which listed her firewall as failing most of the tests. I directed her to one of the leaktest sites, and she was surprised that she passed most of them. (Not because of the firewall, though). She was somewhat relieved, and I also pointed out to her that in her 3+ years of computing/surfing, she had experienced no unwanted intrusions.

    What is a firewall? (we’ll limit it to software firewall) Write down your own definition, then search the internet for ‘firewall definition.’ You may be surprised that there is no consensus as to what a firewall is, and may also wonder if any two are talking about the same thing.

    Here is an interesting one from thefreedictionary.com:
    ------------------------------------------------------------------------------------
    In Computer Science: Any of a number of security schemes that prevent unauthorized users from gaining access to a computer network or that monitor transfers of information to and from the network.
    -------------------------------------------------------------------------------------

    When I decided to get a firewall, I consulted my knowledgeable friend who had helped in my early days of computing. He described a firewall to me as a tool which monitored inbound packets and your outbound traffic, allowing you to set up rules for all of your ports, and set up rules for the applications that connected out to the internet. Many in my group of friends adopted the same philosophy, and our logs showed how all inbound attempts via ports (135,139, 445, etc) to exploit Windows vulnerabilities were effectively blocked, and how you could block applications from connecting out if you desired: WMP configuration utility, for example. All was nice and rosy.

    Then, at the end of 2000, GRC created a Leaktest. GRC may have been the first to use the term "extrusion:"
    -------------------------------------------------------------
    Not only must our Internet connections be fortified to prevent external intrusion, they also provide secure management of internal extrusion. Any comprehensive security program must safeguard its owner by preventing Trojan horses, viruses, and spyware from using the system's Internet connection without the owner's knowledge.
    --------------------------------------------------------------

    Notice the word "firewall" is not used, rather, "security program." Yet, it became assumed that the firewall was the tool to "safeguard its owner by preventing Trojan horses, viruses, and spyware from using the system's Internet connection." No one in the industry questioned that assumption, although some of my knowledgeable friends were grumbling about it.

    From that point forward, other companies developed leaktests. All leaktests do is to show that firewalls aren't very good at what they weren't designed to do.

    A real fear of these possible exploits became so widespread, that no firewall company dared sit on the sidelines without adding this type of protection to their product. It’s interesting how the leaktests acquired an enormous sense of power, as if put up on a throne, to which the firewall companies willingly bowed, followed by consumers willingly falling in line to test their firewall. From the pcflank site:

    ----------------------------------------------------------------------
    Firewall developers comments on results:

    Look'n'Stop editor
    Thank you for considering Look 'n' Stop in your personal firewall comparison. We will include the Application Filtering as a default setting in our official 2.03 release.


    Elisha Riedlinger, Sygate Technologies, Inc.:
    Thank you for notifying us about this. We are currently working on an enhancement to be able to block TooLeaky.


    Te Smith, Zone Labs Inc.:
    First of all, we do plan to put a stop to TooLeaky in our products. I don't have an exact ETA for releasing, but when we make that release, we'll be sure to send you a note so you can run your tests again.


    McAfee
    Our software Development team is working on this so once we are through we will let you know soon. We thank you for bringing this to our notice. We will sincerely follow your suggestions to improve the standard of our product.


    Mikhail Zakhryapin, Agnitum Ltd.:
    Thank you for providing us with the results of the tests. We are aware that Outpost Firewall has not passed all five leak tests because we have performed internal tests here at Agnitum. Alpha version of Outpost Firewall that we are testing right now is able to block all these leak tests. We plan to release it for public in the middle of April.
    ------------------------------------------------------------------------

    Now, on the surface, that would seem like a good example of competition in the marketplace: products scurrying to keep up with each other. But this has created a nightmare for the user wanting a firewall, as these products become large and almost unwieldy in some cases. Just search this firewall forum to see the dilemma created for many users: afraid that their current firewall didn’t pass some of the leaktests, or doesn’t offer this or that type of application filtering, etc.

    Being attracted to the concept of a firewall as I described above, I had hoped that simple firewalls that "are valuable for their ability to block incoming attacks" would be continued/supported, and leave the dealing with other exploits to products that handle them before they get to the firewall.

    But that hasn’t happened, and most companies have abandoned that concept and jumped on the "suite" idea (for lack of a better word at the moment) - Kerio 4 being a good example. That will present continuing problems, as illustrated by this observation on the idea of outbound filtering by the firewall, by Robin Keir, creator of the leaktest, "firehole:"
    --------------------------------------------------------------------------
    He told Newsbytes that other techniques are likely to be discovered for defeating outbound filtering, and that the development suggests that blocking leaks is "a race the firewall makers will never win." Nonetheless, Keir said he still believes personal firewalls are valuable for their ability to block incoming attacks.
    -----------------------------------------------------------------------

    The leaktests act like trojans (backdoors) and show that the firewall's outbound filtering protection can be bypassed. They fall into several categories:

    1) those that take advantage of the fact that firewalls give trusted outbound access to our browser

    2) those that inject code (dll injection)

    3) those like YALTA: "...creates a virtual device driver that sends data to any Internet address without being detected by firewalls..."

    There are several things to consider.

    First, what is the probability of one of these exploits occurring on your computer? The Zonelab comment above includes this about the leaktest, "Firehole":
    ----------------------------------------------------
    Because FireHole is a theoretical exploit at this time (we're not aware of any known instances in the wild, but are on the lookout and would be very interested to hear of any you come across)…
    -----------------------------------------------------

    I looked at the descriptions of many recent trojans, and didn’t find any that used those exploits. I also posted to two different forums asking if anyone had any documented occurrences of this, and none were submitted.

    Second, remember, they are trojans, and one should already have preventative measures in place against trojans. Remember also, these leaktests only succeed because the user permits the test executable (a trojan) to download. Ask yourself, what is the probability of that happening on your computer?

    Third, should a trojan inadvertently sneak in, in order to do anything it has to execute: unpack a driver, dll, etc.

    It’s been demonstrated that various other security products can protect against those exploits. ProcessGuard, for example, has numerous examples on their website showing how these exploits can be blocked before they get to the firewall. Other anti-execution programs block the unpacking of drivers and dlls. New HIPS programs are also offering that type of protection.

    Using a firewall as the security tool for this, presents problems for the user as firewalls become more complex, creating other dilemmas: overlapping, and conflicts.

    We are starting to see in these forums where it’s pointed out to users that several of their products overlap. In some cases, not a problem. But some are confused as to which program kicks in first, and in a few instances, users have had to uninstall a program because of conflicts. It’s being recognized, for example, that more than one program meandering down at the kernel level can cause problems. (this also showing up between two different HIPS programs as well as between a firewall and another program.)

    There is a sense in these forums that people often load up on products without understanding the coverage of each. More careful thinking-out of the problem/solution is called for.

    So, how does one today go about choosing a firewall? How does a firewall complement your other security programs? You can feel the frustration of many people in this forum, as they ask for advice.

    I think the solution is simplified if you think through your security plan and understand how these various exploits actually work: What is the probability of this exploit or that getting into your computer in the first place, and then how do they execute/install. Your risk assessment will determine the types of security measures/programs you employ.

    Then one’s preference for programs comes into play:

    1) Do you like the trend for all-in-one products?

    2) Or, the stand-alone products, each focusing on a different aspect of your security?

    If the latter, as far as firewalls go, you can ban the leaktest criteria to the land of hype.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
    Last edited by a moderator: Sep 10, 2005
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Is this supposed to be a question, a debate or just a big cut'n'paste job from elsewhere?
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    A little of all, for the non-expert in thinking about firewalls. :eek:
     
  4. StevieO

    StevieO Guest

    Nice post Rmus.

    I'm always interested in leaktests etc, I seem to pass 99% of them with my setup I'm happy to say.

    I think that even though some of them may be quite challenging to some FW's, I believe all FW's etc should be capable of passing them. Unless of course we are talking about the Trick tests, that people have to allow by clicking some prompt to get through.


    StevieO
     
  5. zcv

    zcv Registered Member

    Joined:
    Dec 11, 2002
    Posts:
    355
    I'm ambivalent about these leak tests and firewall developers trying to block them, a big dollop of marketing I think. If you think about it, the damage is mostly done, something malicious got in.

    I'd rather have firewalls concentrate on the in-bound side, that includes shoring up the browser, which is mostly how the crap gets in.

    Regards - Charles
     
  6. FatalChaos

    FatalChaos Registered Member

    Joined:
    Aug 6, 2005
    Posts:
    98
    It really depends. For example, if you are going to be running something like processguard/safe n sec, then you should be able to pass all leaktests that way. However, if you don't plan on running one of those programs you might want to consider including leaktest results in your choice of firewall.
     
  7. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Almost all malware needs to connect out to do real damage (e.g. remote access trojans have to report and receive commands, keyloggers/spyware have to send the data collected, etc). A firewall with good leaktest performance has an excellent chance of detecting/blocking such communication attempts and should therefore act as the last line of defence should malware scanners fail.
    Technically, web filtering is outside the remit of a pure firewall but many do offer such a feature (though with limitations, see the Dangers of HTTPS thread).
     
  8. I'm a big fan of Outpost. Outpost has good results on leak tests.

    So clearly leaktests are an important consideration for selecting a firewall.
     
  9. zcv

    zcv Registered Member

    Joined:
    Dec 11, 2002
    Posts:
    355
    Well, glad it's "clear" for you, for me, nice to have, but as of right now, not compelling, especially since AFAIK, there are no real world examples.

    Regards - Charles
     
  10. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    4 trojans/worms using leaktest techniques are listed at Firewallleaktester.
     
  11. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    Ok. I'll confess I didn't read all of your argument because I had to stop early on due to some erroneous definitional type comments. You apparently are looking at "firewall" from a purely software, host-based perspective... I, personally, come from a hardware, network-based firewall perspective. You act as if the examination of outbound packets is something new and place emphasis on words like "extrusion", but it's not. Outbound filtering has always been a cornerstone of most network-based, hardware firewalls.

    A firewall is simply a security gate and it has always been up to administrators to determine the "policy" associated with who and what you let in and out of said gate. In fact, the biggest security deficiencies I almost invariably see in enterprise network firewall policy configuration is a lack of much thought to bi-directional issues. Most firewall vendors sell their appliances with a default of block everything incoming unsolicited and let everything outgoing pass-thru. They do this because it's perhaps a good starting point, but it's not "locked down" by any means. Hackers know this. So, yes, they have for many years purposely designed RAT (Remote Access Trojans) that get installed unwittingly via email or somesuch mechanism behind the corporate firewall and then initiate an outbound connection. Once they have that outbound connection, everything typically sails right through the firewall because it's now a permitted and established connection that was initiated internally.

    Software and host-based firewalls have a singular advantage over network-based, hardware firewalls: their ability to associate a running process or application with a given set of packets. That is, because the software is running on the end-point of the communications... it can associate the conversations with actual apps. Network based firewalls have to solely make decisions based upon the information on the wire. They don't have access to anything else. Therefore, IMHO, it is simply an extension of the well-established BI-DIRECTIONAL security policy principle to go ahead and utilize application restrictions in host-based, software firewalls. It's not a new suite of functionality in my opinion... it's a logical extension of what was always envisioned but just not technically possible based on wire information alone.

    In summary, yes, I think leaktests are important for host-based firewalls and that they are relevant.
     
  12. zcv

    zcv Registered Member

    Joined:
    Dec 11, 2002
    Posts:
    355
    Hi Paranoid,

    Ok, but in reading the "fine" print from the test site, just because the firewall passes the "tests", doesn't mean it's not vulnerable to a take down. In my mind, relying on the firewall alone doesn't assure you of all that much. We're back to a layered defense :) on which all of us can agree.

    The original question: Leaktests: Should they be considered in selecting a Firewall? Yes, a consideration, but at this point, not the primary one for me. As the threats evolve, the firewalls will evolve with them.

    Regards - Charles
     
  13. ghost16825

    ghost16825 Registered Member

    Joined:
    Feb 1, 2005
    Posts:
    84
    Come on now, did you actually read the links provided?

    substitution:

    The author of this page doesn't know what the word 'substitution' means.
    Just being named similarly to a legitimate file is NOT substitution - get a dictionary.

    The W32.Welchia.Worm does not replace the existing DLLHOST.EXE.
    Neither does "The Beast" trojan replace the existing SVCHOST.EXE.

    launcher:
    W32.Vivael@MM could be interesting in that it replaces Shell Open and Print commands with its own executable file. It also launches the browser with one of these websites:
    http:/ /jeremybigwood.net
    http:/ /news.bbc.co.uk
    http:/ /www.commondreams.org
    http:/ /www-ni.laprensa.com.ni
    http:/ /www.soc.uu.se
    http:/ /www.cannabisculture.com
    http:/ /www.chilevive.cl
    http:/ /membres.lycos.fr
    http:/ /www.movimientos.org

    Wow, how disturbing!

    None of this is even remotely network related except for this:

    It's hard to find a firewall that would actually allow this, unless your firewall allows all programs remote access to port 25. Nothing to do with attacking the firewall functionality at all, and I don't even think it has anything even remotely similar in common to the leaktests listed.

    As for the Beast and Flux trojans, think about this for a second. Without so-called 'leaktest' protection mechanisms, whether you get an alert depends on what kind of traffic these trojans attempt to send out and also how tight your firewall is.

    The only reason for having 'leaktest' protection measures in a firewall is if your ruleset is overwhelmingly lax to begin with. That, and you also have no other security measure that is more effective in countering this attack vector.

    I'm a big fan of painkillers. Painkillers have good results in removing pain. So clearly pain removing properties are an important consideration for selecting what kind of drug to take. 100% troll material.
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    It never occurred to me that one could infer that I felt that outbound monitoring was something new. However, after re-reading, I can see how that could happen. Of course, for me to suggest something like that would be absurd, as anyone with a good rule set firewall can attest. In my Kerio 2 Rule Set Tutorial For Beginners, I even have a section devoted to suggestions for setting up outbound application rules. My point was that those leak tests were created to show how the normal outbound monitoring could be bypassed by trojans exploiting so-called weaknesses. That these exploits are not documented in the wild (AFAIK) has been lost on most people, and have assumed a life of their own.

    Even a firewall, without good leaktest performance (referring to those specific leak tests on the site you cite) and properly configured, can detect/block such communication attempts, as I showed in the trojan I was able to test, using Kerio 2. See: How a Trojan Installs

    Don’t you think most people think of their firewall as part of their defense? My point is that these leaktests in question have created a dilemma for people, causing them to question whether or not their firewall is "up to muster." Most recently in another thread:

    -----------------------------------------------------------
    I need a free firewall, but it really doesn't matter for inbound,
    because i have a router. I went to the firewallleaktester site,
    and ZAF had passed only one leaktest more than Kerio [2.1.5],
    and that was DNS Tester. Which should i choose? I like Kerio
    because it's rule based, and because it is very light.
    -----------------------------------------------------------

    Both are excellent firewalls, and his decision shouldn’t have to be based on that leaktest performance, rather, just the fact that he wants Kerio because it’s rule-based.

    There was just one response to the original poster:
    -----------------------------------------------------
    To be honest, while the leak tests are important they
    shouldn't be your only guide when deciding what firewall
    you wish to use. In addition there are other tools such as
    Process Guard which can help prevent these leak tests
    (i.e in real life trojans/viruses) from ever running.

    If you like Kerio, use Kerio. It's a good firewall, and
    plenty of people use it.
    ----------------------------------------------------

    (see: ZAF vs Kerio 2.15 Outbound)

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
    Last edited: Aug 30, 2005
  15. Are you certain these techniques are not out in the wild? Many seem trivial to do and can be generalised to affect a wide range of setups. Or are so few people using personal firewalls that it's not worth their effort to try to bypass? That doesn't seem very likely to me.

    I guess my question is this.

    If leak tests are purely in theory and are not used by malware in the wild, does that mean almost all trojans can be stopped from connecting outwards by a basic firewall, leak tests results notwithstanding?

    Or does the performance of leaktests have zero to say about this, because trojans are using other methods (not covered by the known leak tests) to bypass firewalls?

    On a secondary note, I read that the rootkit defender $$$ edition isn't designed to bypass personal firewalls :)
     
    Last edited by a moderator: Aug 31, 2005
  16. ----

    ---- Guest

    So you have an example of one trojan that doesn't attempt to hide.
    Is this representative of what is likely to be faced? Actually I think it is, at least if you go by the ones that are listed in the antivirus databases

    Still I suspect there is some selection bias going on, because these are the very types of trojans that are most easily spotted and reported. Ones that use more tricks are less likely to be spotted.


    Indeed. The problem is I think while leak tests are important, ultimately it's a losing battle. Any trick the firewall tries to counter, there's another one waiting in the wings, and pretty soon, the firewall morphs into some kind of system babysitter, where it prompts you for permission for the smallest and most irrelevant event just to claim that it can block a leak test.

    I hear, people like to call that HIPS in this forum. :)
     
  17. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    The idea of a leaktest is to bypass a firewall, either by exploiting an application or protocol that is likely to have access or by gaining access to network resources in a fashion not monitored by a firewall. "Leaktest protection" (a misnomer if ever I heard one since leaktests do not try to attack firewalls) is largely firewalls extending their monitoring to inter-process communication. Rulesets have little bearing on leaktest performance unless you choose to block all traffic (only one of the leaktest techniques listed can be blocked by tightening rulesets).

    As for quibbling about the seriousness of malware, this is missing the point. A previous post asked for examples of malware using leaktest techniques - examples were given. With the lengths taken by some malware to conceal itself (rootkits, etc), adopting leaktest techniques to circumvent the most common firewalls would seem a pretty small step for serious malware creators.
    Good. People need to periodically review their firewall as threats evolve - just as they need to review their scanners and other security software. More importantly, vendors need to review (and correct any loopholes) in their products. Do you really see this as a problem?
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    From the vendors' point of view, no, because of the fierce competition.

    From a user's point of view - it depends on your concept of what a firewall is supposed to do, as I mentioned in my post.

    In the future, it may be a moot point, if the so-called HIPS products start to incorporate a firewall (OA), and as a firewall becomes more like a HIPS product (Kerio 4 uses this term). We may see the gradual demise of the stand-alone firewall as it was originally conceived.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  19. ghost16825

    ghost16825 Registered Member

    Joined:
    Feb 1, 2005
    Posts:
    84
    The vast majority I have seen do not do the latter. That is to say, they do not access network resources in a way not monitored by the firewall. Malware or leaktests using WinPCAP or accessing the network interface directly is much rarer, even in the wild. Creating packets at such a low level, even with WinPCAP is not worth the effort when higher-level APIs exist. Ditto for direct network interface access. Nearly all of the leaktests I have seen use an application that is likely to have access, and this app has nearly unrestricted access due to the firewall ruleset.

    No, that's false. It doesn't matter which class of leaktests you're talking about. Most can be mitigated by using a tighter firewall ruleset.

    No, some of these examples were unrelated. Of the ones that were, none of these 'techniques' were used as an attack vector. For the IE example above, none of these sites used an existing IE flaw to create a drive-by download. Even if they did, wouldn't you say IE was the attack vector and not the 'leaktest' technique?
     
  20. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Several of the leaktests (ab)use Internet Explorer due to it being the most common browser - it would be a simple matter to change them to check for the default browser (to pick up on Opera/Firefox/Mozilla users) or another Internet-accessing application, so it would be unwise to consider leaktests an IE-only phenomenon (though the "hidden window" TooLeaky is IE-specific).
    Care to provide a concrete example of such a "tighter" ruleset that would somehow detect (let alone prevent) a code or DLL injection? Aside from the (artificial) situation of blocking all traffic for applications or blocking those sites used by leaktests (which, while blocking the test itself, would have no effect on malware using similar techniques), rulesets make no difference (except for DNSTester as mentioned previously).
    Attack vectors and leaktests are opposites - attack vectors are methods for malware to get onto a system and leaktests are methods for malware to send data out. The example you give is therefore non-applicable.
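
The disagreement in the posts above, whether a per-application ruleset can catch the first two leaktest categories or whether the firewall has to watch process interaction as well, can be modelled in a few lines. This is an added illustration, not part of any poster's message and not any product's code; the process names, event kinds, ruleset and event stream are all constructed.

```python
from dataclasses import dataclass, field

# Constructed per-application ruleset: (image name, remote port) allowed outbound.
RULES = {("browser.exe", 80), ("browser.exe", 443)}
# Parents from which starting a network-enabled application is treated as normal.
TRUSTED_LAUNCHERS = {"system", "explorer.exe"}

# Constructed host event stream (hypothetical names and pids).
EVENTS = [
    {"kind": "launch", "pid": 10, "ppid": 0, "image": "explorer.exe"},
    {"kind": "launch", "pid": 20, "ppid": 10, "image": "browser.exe"},
    {"kind": "connect", "pid": 20, "port": 80},    # ordinary browsing
    {"kind": "launch", "pid": 30, "ppid": 10, "image": "unknown.exe"},
    {"kind": "connect", "pid": 30, "port": 80},    # direct attempt, no rule exists
    {"kind": "launch", "pid": 40, "ppid": 30, "image": "browser.exe"},
    {"kind": "connect", "pid": 40, "port": 80},    # category 1: trusted browser as carrier
    {"kind": "inject", "src": 30, "dst": 20},
    {"kind": "connect", "pid": 20, "port": 443},   # category 2: traffic after injection
]


@dataclass
class HostFirewall:
    """Toy host firewall: a ruleset, optionally combined with interaction tracking."""
    track_interaction: bool
    name_of: dict = field(default_factory=lambda: {0: "system"})  # pid -> image
    tainted: dict = field(default_factory=dict)                   # pid -> reason

    def handle(self, ev):
        """Process one event; return a verdict for connects, None otherwise."""
        if ev["kind"] == "launch":
            self.name_of[ev["pid"]] = ev["image"]
            parent = self.name_of.get(ev["ppid"], "?")
            if parent not in TRUSTED_LAUNCHERS:
                self.tainted[ev["pid"]] = "launched by " + parent
            return None
        if ev["kind"] == "inject":
            source = self.name_of.get(ev["src"], "?")
            self.tainted[ev["dst"]] = "code injected by " + source
            return None
        # Connect: the ruleset sees only the image name and the remote port.
        image = self.name_of.get(ev["pid"], "?")
        if (image, ev["port"]) not in RULES:
            return "block: no rule"
        # Interaction tracking adds what happened to the process beforehand.
        if self.track_interaction and ev["pid"] in self.tainted:
            return "prompt: " + self.tainted[ev["pid"]]
        return "allow"


def run(track_interaction):
    """Replay EVENTS and return the verdict for each connect, in order."""
    fw = HostFirewall(track_interaction)
    verdicts = []
    for ev in EVENTS:
        verdict = fw.handle(ev)
        if verdict is not None:
            verdicts.append(verdict)
    return verdicts


if __name__ == "__main__":
    for mode in (False, True):
        label = "with interaction tracking" if mode else "ruleset only"
        print(label, run(mode))
```

The driver-based category from the first post sends traffic below the layer this model observes, so neither mode covers it.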
     
  21. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    Rmus, interesting question, even if a little bit "old".

    *The first goal of a firewall is to prevent intrusion with packets filtering.
    It's not to detect a dll injection in the browser or any other application.
    Therefore, incoming connections tests are more important (online scans, NMAP, Nessus etc).
    Leaktests are just demonstrations tools, and could help a user who hesitates between 2 or 3 firewalls.
    Currently, Jetico, Outpost and Look'n'Stop have the best results for leaktests (more than 15/21).
    But some firewalls do their job as well as Jetico and friends for filtering incoming connections (Injoy, PortLock etc) without impressive results for outgoing connections.

    For your own test, you can take a look at some "old" demonstrations tools like Backstealth or Firewar: http://freeweb.supereva.com/piorio/index.htm?p

    More info about the subject: http://assert.uaf.edu/classes/pres/wu/Wu.htm

    *Windows integrates many protocols, and it means many possibilities to bypass the firewall (with or without leaktest methods).

    *Actually, the most advanced trojans use API hooking in the browser or in a legitimate application (with permission rule).
    A proof-of-concept trojan has been released for BlackHat Europe 2004 which demonstrates how to bypass a firewall with API injection.
    Unfortunately, the paper provides the name of the trojan (not detected by AVs) and the site where to download it: then no reasons to give more opportunities for ScriptKiddies...


    Generally, malwares are more and more sophisticated and use more and more stealth and rootkits methods: http://www.securityfocus.com/news/11300
    That's why proactive security softs based on behavioral recognition should be more considered on a line defense.
    It's not the job of a firewall to detect these kind of methods: a firewall should only have firewall features.

    Regards
     
  22. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    It's probably fair to say most Windows firewalls are going beyond pure network traffic filtering in order to counter stealthing techniques - blocking unsolicited incoming traffic is critical but since every firewall does this (even Windows' own), vendors are expanding the remit of their products both to differentiate them from competitors and to address current/future threats.
     
  23. diddi

    diddi Guest

    ghost16825, what are you talking about? Leaktest methods have been used by trojans for years - you even mentioned two examples (Beast, Flux).

    And how do you want to stop their connection attempts with a purely rule-based firewall like, say, Kerio2.15? Blocking your browser's outgoing TCP, port 80?! *lol*
     
  24. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Just some random observations:

    1. The leaktest tests the firewall. Who tests the leaktest? Maybe we should be talking to them.

    2. I liked the original post. The poster indicated that they themselves chose their firewall after consulting with someone who was more expert than himself, so why nit-pick about definitions?

    3. the responses attributed to the firewall vendors probably represent as much or more evolution as their products. I seem to recall they were not always so receptive of tests. Not sure why they are sucking up so much. If this leaktest guy is so hot, maybe one of them should offer him a fat salary to work for them. (Officially, I mean).

    4. I don't like "suites" much. I suppose they mark an advance for the person who would only have a firewall and nothing else. Obviously, it may be useful for the malware author who is trying to circumvent a firewall to know what other security programs will be present.

    5. Since I am not an expert I pay my money and take my chances. I feel it would be counterproductive for me to download a test designed to find holes in my computer. Since my firewall maker already has the keys to the castles I see no harm in using their leak tests, but the rest of these tests can test someone else! My firewall's developers need to know this stuff more than I do!

    6. Last string of defense notwithstanding, I do have to go along with the concept of "if I can't keep them out, I'm f----d!" Just being honest. It's getting so even if you know your computer is infected, and you know what the malware is, you still have no guarantee that you can remove it completely. Hell, security programs now start redefining malware as legitimate. Something is better than nothing, but somethings aren't much better.


    These are just my layman's thoughts on the subject. I definitely don't want to discourage anything that advances my security programs, but since we are weighing in on this, no, I don't think the tests are important from the standpoint of selecting a firewall. Usability, and dependability are more important.



    -HandsOff
     
  25. Syncman9

    Syncman9 Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    113
    Location:
    UK
    HandsOff, I like your last point and I think that usability, and dependability are important, as well as the UI.
    I feel the leak tests are important, and to me, they should be weighed up when considering what firewall you want. I for one use the test to narrow down my choice and then finally decide by how well it works for me.
     